diff --git a/CHANGELOG.md b/CHANGELOG.md index b5d45886da75..746e17df9b4e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ **16 January 2026** +The following new articles support the public preview release of Copilot Memory: + +* [About agentic memory for GitHub Copilot](https://docs.github.com/copilot/concepts/agents/copilot-memory) +* [Enabling and curating Copilot Memory](https://docs.github.com/copilot/how-tos/use-copilot-agents/copilot-memory) + +
+ +**16 January 2026** + We published [About user offboarding on GitHub Enterprise Cloud](https://docs.github.com/en/enterprise-cloud@latest/admin/concepts/identity-and-access-management/user-offboarding) to give enterprise customers clear guidance about offboarding processes. The article covers recommended offboarding methods, the effects of offboarding, and what happens when a user is removed from all organizations in an enterprise. We also updated [Removing a member from your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/removing-a-member-from-your-enterprise) and [Removing a member from your organization](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-membership-in-your-organization/removing-a-member-from-your-organization) to include instructions for enterprises that use Enterprise Managed Users or SCIM for organizations. diff --git a/content/admin/concepts/enterprise-fundamentals/automations-in-your-enterprise.md b/content/admin/concepts/enterprise-fundamentals/automations-in-your-enterprise.md new file mode 100644 index 000000000000..60c26ebe3cd1 --- /dev/null +++ b/content/admin/concepts/enterprise-fundamentals/automations-in-your-enterprise.md 
@@ -0,0 +1,135 @@ +--- +title: Automations in your enterprise +shortTitle: Automations +intro: 'Learn how {% data variables.product.prodname_github_apps %}, external services, and {% data variables.product.prodname_actions %} work together to automate processes in your enterprise.' +versions: + feature: enterprise-apps-public-beta +type: overview +topics: + - Enterprise + - Fundamentals +--- + +Automation on {% data variables.product.github %} typically involves multiple components working together. The most important {% data variables.product.github %} native components are: + +* **{% data variables.product.prodname_actions %} workflows**, which provide a runtime for executing automation logic. Out of the box, they work within a single repository, but they can be extended to automate across or even outside of repositories. +* **{% data variables.product.prodname_github_apps %}**, which do not have a runtime. Instead, they provide identity, permissions, and event delivery so your automations, whether external services or workflows, can authenticate and act securely. + +Most enterprise automation use {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_actions %} together. For example, a workflow running in {% data variables.product.prodname_actions %} may use a {% data variables.product.prodname_github_app %} to obtain a short-lived token that allows it to perform tasks across repositories or organizations. + +This guide explains how {% data variables.product.prodname_github_apps %}, external automations, and {% data variables.product.prodname_actions %} complement each other, and when to use each in your enterprise. + +## {% data variables.product.prodname_github_apps %} + +A {% data variables.product.prodname_github_app %} provides the **identity, permissions, and webhook events** required for automation on or across repositories, organizations, or your enterprise. 
{% data variables.product.prodname_github_apps %} themselves do **not** execute logic, they enable other systems to do so. + +{% data variables.product.prodname_github_apps %} support enterprise automation by offering: + +* **Granular permissions** to follow least-privilege principles +* **Scoped installations** at the enterprise, organization, or repository level +* **Short-lived tokens** for secure access +* **Distinct identities** with full auditability +* **Delegated administration** through the {% data variables.product.prodname_github_app %} manager role +* **Consistency at scale** when owned by the enterprise account + +### What do {% data variables.product.prodname_github_apps %} enable? + +{% data variables.product.prodname_github_apps %} allow **automations you write elsewhere**—such as external services or workflow steps—to act on {% data variables.product.github %} APIs within the permissions you grant. For example: + +* Receiving webhook events and triggering external services +* Enabling a workflow to act outside its default repository scope +* Integrating {% data variables.product.github %} with third-party systems +* Coordinating changes across many repositories +* Running long-lived bots or services that monitor enterprise-level activity + +{% ifversion enterprise-installed-apps %} + +> [!NOTE] +> Enterprise-installed {% data variables.product.prodname_github_apps %} cannot call every API endpoint. See [AUTOTITLE](/apps/using-github-apps/installing-a-github-app-on-your-enterprise#what-enterprise-installed-apps-can-do). + +{% endif %} + +## {% data variables.product.prodname_actions %} + +{% data variables.product.prodname_actions %} provide {% data variables.product.github %}’s built-in **runtime** for executing automation logic inside repositories. Workflows run on hosted or self-hosted runners and are ideal for tasks tied to code changes or repository events. 
+ +Use {% data variables.product.prodname_actions %} for: + +* CI/CD (build, test, deploy) +* Pull request checks and validations +* Repository-level maintenance tasks +* Event-driven workflows responding to pushes, tags, or issue updates +* Scheduled jobs with cron + +### How {% data variables.product.prodname_actions %} uses {% data variables.product.prodname_github_apps %} + +{% data variables.product.prodname_actions %} and {% data variables.product.prodname_github_apps %} are deeply connected: + +* Workflow permissions map directly to {% data variables.product.prodname_github_app %} permissions. +* Workflows can authenticate as a specific {% data variables.product.prodname_github_app %} using `actions/create-github-app-token`. +* {% data variables.product.prodname_github_apps %} can trigger workflows through events such as `repository_dispatch`. + +## External automations and services + +External automations run outside {% data variables.product.github %} on your own infrastructure. These services typically: + +* Receive webhook events from a {% data variables.product.prodname_github_app %} +* Use the {% data variables.product.prodname_github_app %} to request short-lived installation tokens +* Execute long-running or cross-enterprise logic +* Integrate with external business systems + +Examples include: + +* Organization-wide configuration management +* Policy enforcement services +* Multi-repository code or metadata synchronization +* Compliance report generation +* Cross-organization issue or pull request management + +All of these rely on {% data variables.product.prodname_github_apps %} for authentication, identity, and events—**not** for execution. + +## How these components work together + +Most enterprise automation uses a combination of {% data variables.product.prodname_github_apps %}, external services, and {% data variables.product.prodname_actions %} to achieve robust, scalable workflows. + +For example: + +1. 
An enterprise {% data variables.product.prodname_github_app %} receives a webhook when a new repository is created, and sends the webhook payload to a server where an external service is running. +1. The external service standardizes required settings and provisions resources. +1. The service triggers a {% data variables.product.prodname_actions %} workflow in the repository. +1. The workflow performs CI, deploys templates, or configures scanning. + +Each component handles a different layer of automation. + +## When to use each type of automation + +Use **a {% data variables.product.prodname_github_app %}** when you need: + +* Authentication or permission to act across many repositories +* Integration with external systems +* Webhook-driven automations +* Long-lived or enterprise-wide workflows +* Auditability and identity separation + +Use **external automations** when you need: + +* Logic that runs continuously or outside {% data variables.product.github %} +* Integration with internal systems + +Use **{% data variables.product.prodname_actions %}** when you need: + +* CI/CD pipelines +* Repository-scoped automation +* Automated checks tied to repository events +* Execution of logic using {% data variables.product.github %}’s runner infrastructure + +Use **{% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_actions %} together** when: + +* A workflow must act beyond the repository’s default permissions +* A {% data variables.product.prodname_github_app %} needs to trigger a workflow +* External logic orchestrates in-repo execution +* Enterprise-wide policies or workflows require both identity and runtime + +## Next steps + +Learn how to design and manage {% data variables.product.prodname_github_apps %} at the enterprise level in [AUTOTITLE](/admin/managing-your-enterprise-account/creating-github-apps-for-your-enterprise). 
diff --git a/content/admin/concepts/enterprise-fundamentals/index.md b/content/admin/concepts/enterprise-fundamentals/index.md index ee403e87f598..192ea7c4e057 100644 --- a/content/admin/concepts/enterprise-fundamentals/index.md +++ b/content/admin/concepts/enterprise-fundamentals/index.md @@ -11,5 +11,6 @@ children: - /enterprise-accounts - /teams-in-an-enterprise - /roles-in-an-enterprise + - /automations-in-your-enterprise contentType: concepts --- diff --git a/content/apps/using-github-apps/installing-a-github-app-on-your-enterprise.md b/content/apps/using-github-apps/installing-a-github-app-on-your-enterprise.md index 201281ae723b..9ff35367ea85 100644 --- a/content/apps/using-github-apps/installing-a-github-app-on-your-enterprise.md +++ b/content/apps/using-github-apps/installing-a-github-app-on-your-enterprise.md @@ -32,15 +32,7 @@ After installation, the app will be able to create an installation token for you ## What enterprise-installed apps can do -Enterprise-installed {% data variables.product.prodname_github_apps %} cannot call every enterprise API, but several APIs have already been updated to support GitHub Apps. These APIs and GraphQL mutations include: - -* [List and create organizations in your enterprise](/graphql/reference/mutations#createenterpriseorganization) -* [Manage users in your enterprise](/graphql/reference/objects#enterprise) -* Create and manage {% data variables.product.prodname_github_app %} installations in your organizations -* Manage enterprise custom repository properties -* Call the enterprise SCIM APIs - -Check the [changelog](https://github.blog/changelog/) for updates on new APIs and permissions for {% data variables.product.prodname_github_apps %}. +{% data reusables.enterprise-accounts.enterprise-apps-capabilities %} For more information about available permissions and API endpoints, see [AUTOTITLE](/rest/authentication/permissions-required-for-github-apps). 
diff --git a/content/enterprise-onboarding/github-apps/automations-in-your-enterprise.md b/content/enterprise-onboarding/github-apps/automations-in-your-enterprise.md new file mode 100644 index 000000000000..a97dcb3943b0 --- /dev/null +++ b/content/enterprise-onboarding/github-apps/automations-in-your-enterprise.md @@ -0,0 +1,17 @@ +--- +title: Automations in your enterprise +shortTitle: Automations +intro: 'Learn how {% data variables.product.prodname_github_apps %}, external services, and {% data variables.product.prodname_actions %} work together to automate processes in your enterprise.' +versions: + ghec: '*' +type: overview +topics: + - Enterprise + - Fundamentals +--- + +{% data reusables.enterprise-onboarding.automations %} + +## Next steps + +To create {% data variables.product.prodname_github_apps %} that can access enterprise-level resources and automate workflows, see [AUTOTITLE](/enterprise-onboarding/github-apps/create-enterprise-apps). diff --git a/content/enterprise-onboarding/github-apps/index.md b/content/enterprise-onboarding/github-apps/index.md index f320c5b5ceed..4a6dc10b394b 100644 --- a/content/enterprise-onboarding/github-apps/index.md +++ b/content/enterprise-onboarding/github-apps/index.md @@ -9,6 +9,7 @@ topics: - Enterprise - GitHub Apps children: + - /automations-in-your-enterprise - /create-enterprise-apps - /install-enterprise-apps --- \ No newline at end of file diff --git a/data/reusables/enterprise-accounts/enterprise-apps-capabilities.md b/data/reusables/enterprise-accounts/enterprise-apps-capabilities.md new file mode 100644 index 000000000000..088a2d6c6bbc --- /dev/null +++ b/data/reusables/enterprise-accounts/enterprise-apps-capabilities.md 
@@ -0,0 +1,9 @@ +Enterprise-installed {% data variables.product.prodname_github_apps %} cannot call every enterprise API, but several APIs have already been updated to support {% data variables.product.prodname_github_apps %}. These APIs and GraphQL mutations include: + +* [List and create organizations in your enterprise](/graphql/reference/mutations#createenterpriseorganization) +* [Manage users in your enterprise](/graphql/reference/objects#enterprise) +* Create and manage {% data variables.product.prodname_github_app %} installations in your organizations +* Manage enterprise custom repository properties +* Call the enterprise SCIM APIs + +Check the [changelog](https://github.blog/changelog/) for updates on new APIs and permissions for {% data variables.product.prodname_github_apps %}. diff --git a/data/reusables/enterprise-accounts/github-apps-tab.md b/data/reusables/enterprise-accounts/github-apps-tab.md index 59f8acf85498..8ce0f568119f 100644 --- a/data/reusables/enterprise-accounts/github-apps-tab.md +++ b/data/reusables/enterprise-accounts/github-apps-tab.md @@ -1 +1 @@ -1. In the left sidebar, click **{% octicon "apps" aria-hidden="true" %} GitHub Apps**. +1. In the left sidebar, click **{% octicon "apps" aria-hidden="true" %} {% data variables.product.prodname_github_apps %}**. diff --git a/data/reusables/enterprise-onboarding/automations.md b/data/reusables/enterprise-onboarding/automations.md new file mode 100644 index 000000000000..e7d8b700fdc4 --- /dev/null +++ b/data/reusables/enterprise-onboarding/automations.md 
@@ -0,0 +1,119 @@ +Automation on {% data variables.product.github %} typically involves multiple components working together. The most important {% data variables.product.github %} native components are: + +* **{% data variables.product.prodname_actions %} workflows**, which provide a runtime for executing automation logic. Out of the box, they work within a single repository, but they can be extended to automate across or even outside of repositories. +* **{% data variables.product.prodname_github_apps %}**, which do not have a runtime. Instead, they provide identity, permissions, and event delivery so your automations, whether external services or workflows, can authenticate and act securely. + +Most enterprise automation use {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_actions %} together. For example, a workflow running in {% data variables.product.prodname_actions %} may use a {% data variables.product.prodname_github_app %} to obtain a short-lived token that allows it to perform tasks across repositories or organizations. + +This guide explains how {% data variables.product.prodname_github_apps %}, external automations, and {% data variables.product.prodname_actions %} complement each other, and when to use each in your enterprise. + +## {% data variables.product.prodname_github_apps %} + +A {% data variables.product.prodname_github_app %} provides the **identity, permissions, and webhook events** required for automation on or across repositories, organizations, or your enterprise. {% data variables.product.prodname_github_apps %} themselves do **not** execute logic, they enable other systems to do so. 
+ +{% data variables.product.prodname_github_apps %} support enterprise automation by offering: + +* **Granular permissions** to follow least-privilege principles +* **Scoped installations** at the enterprise, organization, or repository level +* **Short-lived tokens** for secure access +* **Distinct identities** with full auditability +* **Delegated administration** through the {% data variables.product.prodname_github_app %} manager role +* **Consistency at scale** when owned by the enterprise account + +### What do {% data variables.product.prodname_github_apps %} enable? + +{% data variables.product.prodname_github_apps %} allow **automations you write elsewhere**—such as external services or workflow steps—to act on {% data variables.product.github %} APIs within the permissions you grant. For example: + +* Receiving webhook events and triggering external services +* Enabling a workflow to act outside its default repository scope +* Integrating {% data variables.product.github %} with third-party systems +* Coordinating changes across many repositories +* Running long-lived bots or services that monitor enterprise-level activity + +{% ifversion enterprise-installed-apps %} + +> [!NOTE] +> Enterprise-installed {% data variables.product.prodname_github_apps %} cannot call every API endpoint. See [AUTOTITLE](/apps/using-github-apps/installing-a-github-app-on-your-enterprise#what-enterprise-installed-apps-can-do). + +{% endif %} + +## {% data variables.product.prodname_actions %} + +{% data variables.product.prodname_actions %} provide {% data variables.product.github %}’s built-in **runtime** for executing automation logic inside repositories. Workflows run on hosted or self-hosted runners and are ideal for tasks tied to code changes or repository events. 
+ +Use {% data variables.product.prodname_actions %} for: + +* CI/CD (build, test, deploy) +* Pull request checks and validations +* Repository-level maintenance tasks +* Event-driven workflows responding to pushes, tags, or issue updates +* Scheduled jobs with cron + +### How {% data variables.product.prodname_actions %} uses {% data variables.product.prodname_github_apps %} + +{% data variables.product.prodname_actions %} and {% data variables.product.prodname_github_apps %} are deeply connected: + +* Workflow permissions map directly to {% data variables.product.prodname_github_app %} permissions. +* Workflows can authenticate as a specific {% data variables.product.prodname_github_app %} using `actions/create-github-app-token`. +* {% data variables.product.prodname_github_apps %} can trigger workflows through events such as `repository_dispatch`. + +## External automations and services + +External automations run outside {% data variables.product.github %} on your own infrastructure. These services typically: + +* Receive webhook events from a {% data variables.product.prodname_github_app %} +* Use the {% data variables.product.prodname_github_app %} to request short-lived installation tokens +* Execute long-running or cross-enterprise logic +* Integrate with external business systems + +Examples include: + +* Organization-wide configuration management +* Policy enforcement services +* Multi-repository code or metadata synchronization +* Compliance report generation +* Cross-organization issue or pull request management + +All of these rely on {% data variables.product.prodname_github_apps %} for authentication, identity, and events—**not** for execution. + +## How these components work together + +Most enterprise automation uses a combination of {% data variables.product.prodname_github_apps %}, external services, and {% data variables.product.prodname_actions %} to achieve robust, scalable workflows. + +For example: + +1. 
An enterprise {% data variables.product.prodname_github_app %} receives a webhook when a new repository is created, and sends the webhook payload to a server where an external service is running. +1. The external service standardizes required settings and provisions resources. +1. The service triggers a {% data variables.product.prodname_actions %} workflow in the repository. +1. The workflow performs CI, deploys templates, or configures scanning. + +Each component handles a different layer of automation. + +## When to use each type of automation + +Use **a {% data variables.product.prodname_github_app %}** when you need: + +* Authentication or permission to act across many repositories +* Integration with external systems +* Webhook-driven automations +* Long-lived or enterprise-wide workflows +* Auditability and identity separation + +Use **external automations** when you need: + +* Logic that runs continuously or outside {% data variables.product.github %} +* Integration with internal systems + +Use **{% data variables.product.prodname_actions %}** when you need: + +* CI/CD pipelines +* Repository-scoped automation +* Automated checks tied to repository events +* Execution of logic using {% data variables.product.github %}’s runner infrastructure + +Use **{% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_actions %} together** when: + +* A workflow must act beyond the repository’s default permissions +* A {% data variables.product.prodname_github_app %} needs to trigger a workflow +* External logic orchestrates in-repo execution +* Enterprise-wide policies or workflows require both identity and runtime
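Review bot: In the `CHANGELOG.md` hunk, the added 16 January 2026 entry lists only the two Copilot Memory articles, while every other file in this patch concerns the new "Automations in your enterprise" article, which gets no changelog entry. Either add an entry for the automations article or confirm that the Copilot Memory entry belongs in this change.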
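Review bot: The new `content/admin/concepts/enterprise-fundamentals/automations-in-your-enterprise.md` repeats the body of `data/reusables/enterprise-onboarding/automations.md` inline, whereas the enterprise-onboarding copy of the same article pulls it in with `{% data reusables.enterprise-onboarding.automations %}`. Use the reusable here as well and keep only the frontmatter and the "Next steps" section in this file, so the two articles cannot drift apart. Also check the gating: the frontmatter uses `feature: enterprise-apps-public-beta`, but the note block in the body is wrapped in `{% ifversion enterprise-installed-apps %}`, which is a different feature name.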
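Review bot: The frontmatter of `content/enterprise-onboarding/github-apps/automations-in-your-enterprise.md` sets `versions:` to `ghec: '*'`, while the admin article with the same title and intro is gated on `feature: enterprise-apps-public-beta`. If both articles are meant to reach the same audience, align the two `versions` blocks, or state in the pull request description why they differ.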
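Review bot: The `content/enterprise-onboarding/github-apps/index.md` hunk still ends with "\ No newline at end of file" after the closing `---`. Add the trailing newline while this file is being touched.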
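Review bot: Step 1 of the example under "How these components work together" in `data/reusables/enterprise-onboarding/automations.md` says the app "receives a webhook when a new repository is created, and sends the webhook payload to a server", which contradicts the earlier statements in the same file that {% data variables.product.prodname_github_apps %} "do not have a runtime" and "do **not** execute logic". Reword the step so that the webhook is delivered to the external service on behalf of the app. Because the article presents the app as the basis for acting "securely", the "External automations and services" list would also be a natural place to point readers to the guidance on validating webhook deliveries before the service acts on a payload. Two wording fixes in the same file: "Most enterprise automation use" should read "uses" (the later section already has "Most enterprise automation uses"), and "do **not** execute logic, they enable other systems to do so" is a comma splice that reads better with a semicolon or as two sentences.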